Sunday, February 20, 2011

Spy techno and electronics spy is a favourite one. Got an Android phone? Installedapps from the Android Market? Congratulations, you have been named the Mayor of We Know Where You Went and What You Did Last Week. Got an Android phone? Installed apps from the Android Market? Congratulations, you have been named the Mayor of We Know Where You Went and What You Did Last Week. Is Your Android Phone Spying on You?

A study by researchers at Duke University, Penn State, and Intel Research Labs has revealed that Android apps are collecting location information from users' GPS phones and sharing them without notifying users or asking for permission.

The researchers looked at 30 popular Android apps, including The Weather Channel, MySpace, Evernote, BBC News Live Stream, Yellow Pages, and Spongebob Slide. They used a home-made tool called TaintDroid to track what data was being shared and with whom. The skinny:

Two thirds of these apps violated user privacy by sharing location data or information that could identify individual handsets.

Half of them sent user location information to advertising networks like Admob or analytics companies like Flurry without user consent.

Seven of the apps sent the unique device identification numbers of the GSM user and the handsets' SIM card to its servers.

Two of the apps captured the users' cell phone number along with the ID number and the users' geographical coordinates.

Nice.

Mind you, if the police wanted this information, they'd need a court order. These apps are doling it out like candy to advertising firms and storing it on their own servers. Per the study [PDF]:

This finding demonstrates that Android's coarse-grained access control provides insufficient protection against third-party applications seeking to collect sensitive data. Moreover, we found that one application transmits the phone information every time the phone boots. While this application displays a terms of use on first use, the terms of use does not specify collection of this highly sensitive data.

The study did not name which applications shared each kind of information -- a shame, really, because the ones that did not are tarred with the same brush as the guilty ones. Me, I'd uninstall all of them, just to be safe.

While this study was limited to Android apps, the problem is not. I expect to hear a lot more about other apps slurping up GPS and handset information, either accidentally or deliberately, on other handset platforms. The reason we're hearing about Android first is that Android is open source and easier for researchers to access.

It seems the location chickens are coming home to roost. Let's hope you don't end up with egg all over you.